WPFAA · Help with the Log

How to read  wpfaa.log, what the statuses mean, and what to do in each case.

Location and format

• Archive: /wp-content/uploads/wpfaa.log
• Format: [YYYY-MM-DD HH:MM:SS][dominio] [WPFAA][ESTADO] … | CLAVE:VALOR | …

Expected states

• [ALLOW] OK Passed anti-spam checks. You should then see  [WPFORMS_COMPLETE] .
• [WPFORMS_COMPLETE] WPForms has completed the submission (in Lite it is usually  entry_id=0).

Hard blocks (HARD)

• BADWORDS — Text contains forbidden word/pattern.
• HONEYPOT — Filled trap field (bot).
• TOKEN_TAMPER — Tampered hidden token (old HTML, cache, or DOM editing).
• TOKEN_INCOMPLETE:[…] — Hidden token fields are missing (page cache).
• BAD_REFERRER — Referer from another domain (possible CSRF).
• MANY_URLS — Too many links in the message.
• NO_LANG — Does not have a defined language, usually bot.

Soft locks

• TOO_FAST — Sent before MIN_SECONDS.
• EXPIRED — It’s been more than MAX_SECONDSsince the render.
• RATE_LIMIT — Exceeded RATE_LIMITin RATE_WINDOWseconds.
• IP_CHANGED — IP changed between rendering and submitting (VPN/mobile data); please reload.

Useful log fields

• IP/ XFF— Direct IP and first IP after proxy/CDN.
• METHOD, IS_AJAX, USER_ID, FORM_ID.
• SUBMIT_MS— ms since the form was displayed (useful for TOO_FAST or old cache).
• TOKEN_PHvs IP_HINT_NOW— IP fingerprint at render vs. validation; IP_HINT_CHANGEDindicates whether it changed.
• HP_FILLED— 1 if the honeypot was filled.
• REF_HOST_MISMATCH— 1 if the Referer does not match.
• BADWORD— Term/pattern that matched (if enabled).

What to do in each case

• BADWORDS — Adjust word list to avoid false positives.
• MANY_URLS — Raise the threshold if you expect multiple legitimate links.
• TOKEN_INCOMPLETE / TAMPER — Exclude the page from the cache (HTML/fragments).
• IP_CHANGED — (Legacy) Keep SOFT or upgrade MAX_SECONDSif your audience uses VPN/mobile.
• RATE_LIMIT — (Legacy) Adjust RATE_LIMIT/ RATE_WINDOWto your traffic.

Useful information

When you install the plugin, remember to clear your website’s cache so everything works properly.

In case of problems with real users like TOKEN_INCOMPLETE (Invalid Token) select the Anti-cache option on pages with forms.